Welcome to my information security blog. I hope the information I publish and comments I provide can offer some insight, for better or worse, into current industry trends, technologies, and innovations.
One of the purposes for this blog is to encourage creative and constructive dialogue, so feel free to comment. If you do, please provide your name.
If you have any feedback or would like to contact me offline, don't hesitate to email me: mike[@]cloppert[.]org

2010-11-22

Let's Enable Cloud Computing

I've been thinking a lot about "cloud computing" over the past few months, and I keep coming back to the same conclusion every time: the InfoSec community is inhibiting IT innovation by throwing up weak, largely unsubstantiated concerns over the security risks of "cloud computing." Overall, our industry's reaction smacks of "fear of the unknown." [1]

After some research[2][3][4][others], I've found that most security-related arguments against cloud computing qualitatively fall into one of the following risks, in no particular order:

1. Context-hopping. A compromise of one virtual environment may facilitate access to another virtual environment. This is a technical risk.

2. Supervisory control. A compromise in a virtual environment may lead to an "escape" from that environment to the supervisory process that controls it and other environments. Together with #1, these are also called "VM Escapes." This is a technical risk.

3. Inferential data loss. Others could make inferences about your environment by inspecting their own (resources available, etc.). This is a technical risk.

4. Change management. Virtual environments can be changed rapidly, meaning a possible loss of control. This is a procedural risk.

5. Role confusion. Virtual environments, being controlled by different actors at different layers, may lead to confusion about important task execution (think: backups). This is a procedural risk.

6. Forensics. Virtual environments may complicate or limit forensic investigations and e-discovery. This is a technical risk.

7. *Control. In outsourced situations, loss of control of the underlying hardware and supervisory process externalizes certain risk-introducing actions like misconfigurations. It also may inhibit validation of controls at lower levels of the software or hardware, and outsiders have administrative access to the underlying environment. This is an implementation risk.

8. *Data location. In a virtual environment, the location of data at any given point is uncertain, with possible legal or export control implications. This is an implementation risk.

9. *Privacy. In outsourced scenarios, another entity dictates the conditions and depth of law enforcement cooperation. This is an implementation risk.

10. *Continuity. Hosting infrastructure on a company's servers could be at risk if the company folds or experiences other stability issues. This is an implementation risk.

I've marked the risks exclusive to outsourced cloud services with an asterisk.

Let's focus on those risks that impact all implementations of cloud computing; that is, items 1-6. To be blunt, the only risk that deserves special attention is [6] Forensics, because of the loss of the often-invaluable unallocated space on a disk or in memory. Every single one of the technical risks [1]-[3] is already accepted by organizations at the network layer: this includes VLANs, MPLS tagging, and other network abstractions we have been using for years. I've yet to hear an argument as to why we should treat virtualization on the host any differently than we do on the network for these risks. Procedural risks [4] and [5] already exist in production environments, and should already be managed by established processes and organizational responsibility. If these are issues for cloud computing, they're issues for the broader IT organization. If nothing else, they are neither unique nor limited to the cloud.

Looking at the other half of our risks, again we see risks either already accepted or not specific to cloud computing, with the exception of privacy and possibly data location. Organizations that have this concern, however, can easily work with their provider to manage the privacy risk, and I'm not convinced that the data location issue is a problem - after all, packets are routinely routed around the world irrespective of the export status of their content. In any case, it's likely that this is easily addressed as well. [7] and [10] are already an accepted risk at the network layer by any organization with a WAN managed by an ISP.

In contrast, I'm going to provide a few reasons cloud computing could actually help security, if properly implemented.

Intrusion detection. The supervisory process is a place where all network and host activity can be monitored from a single vantage point. This holds great promise for intrusion detection and behavioral analysis by exposing far more data than could be afforded previously.

Compliance monitoring. User activity could easily be monitored across multiple systems and applications. Restrictions on where data resides could similarly be implemented across systems easily (think: DRM).

Availability (yes, it is a security concern). Redundancy and rapid recovery become far more affordable.

That's just off the top of my head. Of course, with some careful thought and collaboration with virtual machine vendors, other opportunities are likely to arise. However, if our industry takes a "no" stance, in spite of the lack of any appreciable risk increase, we will be cut out of this evolution and lose valuable opportunities to turn cloud computing into a benefit rather than a cost from a security perspective.

I find it appropriate that the iconic security object is a firewall, because this is how most security professionals think. The classic InfoSec mindset is that of a gateway: a veto-holding, non-voting member of the IT community. The correct role, in my opinion, is as an active participant in technical innovation, architecture, and the engineering process, making sure requirements are met in a way that balances risk with cost - not eliminating risk at extraordinary cost. Compliance and auditing are my key suspects in holding us back from this goal, but that's an argument I'll save for another day.

References

C|Net - Risks outweigh rewards according to most professionals: http://news.cnet.com/8301-1001_3-20001921-92.html


About Me

I have been employed in various information technology fields since 1997, and in information security since 2001. I have an undergrad degree in Computer Engineering from the University of Dayton, received various industry certifications (GCIA, GREM, GCFA, etc.), and am currently pursuing a MS in Computer Science from George Washington University. I have lectured on various information security topics to IEEE, internal organization-wide IT conferences, and the annual Department of Defense Cybercrime Convention. My international work experience consists of training on general information security topics and IDS design/implementation onsite in Egypt, Israel, and India, as well as providing incident response assistance in the Far East. I have been a contributing editor to incident response procedures for two major organizations, and have been involved in digital forensic investigations since 2001. Currently, my work consists of security-related research and development, covering topics from vulnerability and exploit reverse engineering to implementation of security technologies, as well as digital forensics for an enterprise Computer Incident Response Team.